Is it wise to have three separate Azure tenants for Test, Prod, and Pre-Prod + Domain name security concern?

Question

Hello everyone,

Our IT department is pushing to set up three separate Azure tenants for Test, Production (Prod), and Pre-Prod environments. I’d like to get your thoughts on whether this is truly necessary, especially considering security, management overhead, and costs.

Security: The IT department argues that having a Public Tenant exposes our resources to the internet, which they perceive as a security risk. However, isn’t the entire concept of the Public Cloud based on the fact that resources are meant to be accessible over the internet? With the proper security configurations (such as Conditional Access, MFA, and Private Endpoints), does splitting these environments into separate tenants actually enhance security?

Wouldn't it be more efficient to implement policies at the Subscription or Management Group level to isolate environments and enforce security controls, rather than using multiple tenants, which increase management complexity?

Cost and Management: How much management overhead and extra costs are involved in maintaining multiple tenants? Are there advantages or disadvantages in terms of licensing, governance, or identity management that I should consider?

Additionally, I have a concern about the tenant’s domain name:

• If the domain name of an Azure tenant clearly reflects the company’s name (e.g., companyname.onmicrosoft.com), does this create a security risk? The IT department believes that having a company-identifiable domain name increases vulnerability. However, with MFA, Conditional Access, and other security measures in place, is this really an issue? Does the domain name itself pose any significant risk if these precautions are properly implemented?

I appreciate any feedback and recommendations you may have on this. Thank you!Hello everyone,

Our IT department is pushing to set up three separate Azure tenants for Test, Production (Prod), and Pre-Prod environments. I’d like to get your thoughts on whether this is truly necessary, especially considering security, management overhead, and costs.

Security: The IT department argues that having a Public Tenant exposes our resources to the internet, which they perceive as a security risk. However, isn’t the entire concept of the Public Cloud based on the fact that resources are meant to be accessible over the internet? With the proper security configurations (such as Conditional Access, MFA, and Private Endpoints), does splitting these environments into separate tenants actually enhance security?

Wouldn't it be more efficient to implement policies at the Subscription or Management Group level to isolate environments and enforce security controls, rather than using multiple tenants, which increase management complexity?

Cost and Management: How much management overhead and extra costs are involved in maintaining multiple tenants? Are there advantages or disadvantages in terms of licensing, governance, or identity management that I should consider?

Additionally, I have a concern about the tenant’s domain name:

• If the domain name of an Azure tenant clearly reflects the company’s name (e.g., companyname.onmicrosoft.com), does this create a security risk? The IT department believes that having a company-identifiable domain name increases vulnerability. However, with MFA, Conditional Access, and other security measures in place, is this really an issue? Does the domain name itself pose any significant risk if these precautions are properly implemented?

I appreciate any feedback and recommendations you may have on this. Thank you!

Answer 1

Hi @Ilman Hamzatov ,

Thank you for reaching out to Microsoft Q&A.

I understand that the IT department is advocating for the setup of three separate Azure tenants, and here are my thoughts on the proposed environments:

Yes, the public tenant does expose resources to the internet, which allows for user flexibility. However, you can enhance the security of a public tenant by configuring Conditional Access, Multi-Factor Authentication (MFA), and Private Endpoints.

While implementing policies at the subscription or management group level to isolate environments is a good approach, I suggest using only two tenants: a Test Tenant and a Production Tenant. This is because enabling certain policies might affect the entire Production environment, so having multiple tenants can provide a safer option.

Regarding costs and management, you could use a pay-as-you-go subscription model to avoid additional expenses. For licensing, the Test Tenant could take advantage of a 30-day free trial with a P2 license.

Lastly, the domain name itself does not pose any significant risk if proper precautions are in place. For instance, with a domain like companyname.onmicrosoft.com, users must pass an access token to access resources. Access tokens are security tokens designed for authorization, allowing authenticated users to access specific resources.

For additional information regarding access token: Access tokens in the Microsoft identity platform - Microsoft identity platform | Microsoft Learn

Hope this helps. Do let us know if you any further queries.

---

If this answers your query, do click **Accept Answer** and **Yes** for was this answer helpful. And, if you have any further query do let us know.

Regards,

Goutam Pratti